Virus Detection in ModSecurity

Recently we had a client application that allowed file uploads which was flooded with various viruses and malware that were uploaded to the server. The client's WAF requirements were to detect the malware before it hit the back-end server and blacklist the offenders. After all, if the client is uploading malware, you probably don't want to allow them access to the rest of your site either. This is, of course, a double edge sword, as it has the possibility of blocking valid IPs, such as those behind a NATted address. In this case, that was not a concern.

ClamAV was the obvious choice for virus detection. ModSecurity even comes with a Perl script to make the configuration easy. The setup is well documented in the ModSecurity Handbook. However running external Perl scripts from ModSecurity may not be the most efficient technique for high traffic sites, especially if the clamscan executable is used.

As I've mentioned before, the ModSecurity rules language is pretty easy to use but at the end of the day can be too rigid as its bound by the Apache configuration syntax. The good news is that ModSecurity can process Lua scripts internally and efficiently, thus we can have the flexibility of a complete scripting language and still have access to the request context from our code.

Before I show the solution created, there are a couple of points I want to note:

We used clamdscan (and not clamscan) to avoid creating a new instance of the ClamAV engine on every file inspection.
We added the clamav user to the apache group (assuming apache is the group that runs the httpd)
We set the SecUploadFileMode direction to 0640 to allow group read.
The script uses blacklist to blacklist IPs. The script is available here

The Lua script below runs clamdscan on all uploaded files. If a virus is detected, the request is denied, plus the remote IP address is blacklisted for one hour.

--[[
  This script can be used to inspect uploaded files for viruses
  via ClamAV. To implement, use with the following ModSecurity rule:

  SecRule FILES_TMPNAMES "@inspectFile /opt/modsecurity/bin/modsec-clamscan.lua"  
"phase:2,t:none,log,deny"

  Author: Josh Amishav-Zlatin
  Requires the clamav-daemon and liblua5.1-rex-pcre0 Debian packages (or other 
  OS equivalent)
]]--

function main(filename)
  local rex = require "rex_pcre" 
  local remote_addr = m.getvar("REMOTE_ADDR"); -- Retrieve remote IP address

  -- Configure paths
  local clamscan  = "/usr/bin/clamdscan"
  local blacklist = "/opt/modsecurity/bin/blacklist"
  local duration  = "3600"

  -- The system command we want to call
  local cmd = clamscan .. " --stdout --disable-summary"

  -- Run the command and get the output
  local f = io.popen(cmd .. " " .. filename)
  local l = f:read("*a")
  m.log(9, l)

  -- Check the output for the FOUND or ERROR strings which indicate
  -- an issue we want to block access on
  local isVuln = rex.match(l, "FOUND")
  local isError = rex.match(l, "ERROR")

  if isVuln ~= nil then
    local b = io.popen(blacklist .. " block " .. remote_addr .. " " ..  duration)
    return "Virus Detected"
  elseif isError ~= nil then  
    return "Error Detected"
  else
    return nil
  end
end